Curtin University of Technology

INTERNAL AUDIT MANUAL
INDEX
Part 1: GENERAL POLICIES & STANDARDS
Section 1. Audit Charter
Section 2. Audit Standards and Guiding Principles
Section 3. Audit and Compliance Committee Charter
Part 2: PERSONNEL & ADMINISTRATION
Section 4. General Procedures
Section 5. Personnel
Section 6. Administration
Section 7. Time Usage Analysis
Part 3: AUDIT PLANNING
Section 8. Planning
Section 9. Strategic Audit Plan
Section 10. Annual Audit Plan
Section 11. Field Audit Plan
Part 4: AUDIT METHODOLOGY
Section 12. The Audit Cycle - Summary
Section 13. Risk and Control Analysis (RACA)
Section 14. Audit Programs
Section 15. Working Papers - General
Section 16. Current Working Papers
Section 17. Reference File
Section 18. Audit Reports
Section 19. Working Paper Review
Section 20. Flowchart Documentation
Section 21. Audit Sampling
Part 5: MAJOR PROJECT DEVELOPMENT AUDITS
Section 22. Audit Objectives
Section 23. Audit Approach
Section 24. Major Project Development Audit Working Papers
Section 25. System Documentation
Part 6: AUDIT EVALUATION AND PERFORMANCE
Section 26. Audit Client Questionnaire Form
Section 27. Performance Reviews - KRIs and KPIs
Part 7: MISCELLANEOUS
Section 28. LAN Permanent File Naming Standards
Section 29. Important LAN Directories/Files
Part 8: OTHER SPECIAL AUDIT WORK
Section 30. Audit Certificates
Section 31. Operational / Performance Based Audits
Section 32. Special Investigations
APPENDICES
1. Document: Organization Chart
2. Form: Timesheet
3. Form: Working Papers Index
4. Document: Major Project Development - Checklist
5. Form: Audit Review Notes
6. Form: Field Audit Plan
7. Form: Audit Testing Template
8. Form: Audit Checklist
9. Example: Audit Engagement Letter
10. Example: Email Notification of Audit Commencement
11. Example: Major Report Draft Cover Page
12. Example: Major Report
13. Example: Minor Report
13A. Example: Audit Observations
14. Form: Risk and Control Analysis (RACA)
15. Form: Points for Attention at Next Audit (PANA)
16. Example: Audit Program
17. Example: Working Papers
18. Form: Appendix Cover
19. Document: Reference File
20. Form: Audit Budgeted Hours Estimate Sheet
21. Form: Audit Client Questionnaire Form
22. Example: IS Major Report
23. Example: Special Review Report
FOREWORD
The purpose of this manual is to provide Audit staff with a source of reference for general
audit procedures and routine, in accordance with the Audit Charter (refer Section 1).
Any instruction contained herein which is inconsistent with Curtin University of
Technology's internal policies and procedures is void to the extent of that inconsistency.
Part 1 - General Policies & Standards
Section 1 - Audit Charter
The Internal Audit Charter was reviewed by the Audit and Compliance Committee in 2007
and approved by the Council on 7 May 2008.
It can be found on this website.
Section 2 - Audit Standards and Guiding Principles
Introduction
The basic objective of Internal Audit is to provide independent, objective assurance and
consulting services designed to add value and improve the University's operations.
To assist auditors in achieving an acceptable level of performance, the Institute of Internal
Auditors, an international body, has issued a Professional Practices Framework which is
intended to be used throughout the world in the conduct of internal audit assignments.
Refer to the IIA website for further information.
In specific areas of specialisation, such as audits of financial records and audits related to
computer-based systems and functions, other authoritative bodies have issued audit
statements and guidelines. In particular, the Australian accounting bodies have issued
statements on auditing standards and practices, having regard to generally accepted
principles applying in both the public and private sector, for audits of financial statements.
The Information Systems Audit and Control Association (ISACA), another international
body, has developed standards for Information Technology auditing.
General Standards
General auditing standards in operation for Internal Audit at Curtin University of
Technology are as follows:
Qualifications of Audit Staff
Audits must be performed by or under the supervision of a person or persons having the
managerial, technical and perceptive skills possessed by an experienced and competent
internal auditor. Requirements for staff performing audits are:
General:
- Knowledge of auditing theory and practice and the education, ability and
  experience to apply such knowledge to a variety of auditing assignments.
- Knowledge and understanding of the operations of the organisation acquired
  through education and experience.
- Knowledge of management principles and practices.
Specific:
- A level of experience and appropriate qualifications to perform as a competent
  internal auditor.
- For audits of financial statements - appropriate qualifications providing a detailed
  understanding of accounting standards concepts, principles and practices.
- For audits of computer-based systems and environments - appropriate
  qualifications providing a detailed understanding of computing concepts, principles
  and practices.
Reasonable Professional Care
Auditors must take reasonable professional care in specifying evidence required, in
gathering and evaluating the evidence and in reporting findings.
The standard requires professional performance of a quality appropriate to the
complexities of particular audit assignments. It imposes upon auditors the need to be alert
for situations, control weaknesses and transactions which could be indicative of fraud,
improper or unlawful expenditure, unauthorised operations, waste and inefficiency.
In determining which audit tests and procedures are to be applied to achieve reasonable
professional care, the following matters are relevant:
- Requirements to meet audit objectives.
- Relative materiality of matters to be investigated.
- Prior knowledge of the effectiveness of the systems of internal control.
- Estimate of costs of implementing internal audit plans in relation to likely benefits
  to be derived.
Independence
Independence is essential to the effectiveness of Internal Auditing. This independence is
obtained primarily through organisational status and objectivity:
The organisational status of the Internal Auditing function, and the support accorded to it
by management, are the major determinants of its effectiveness. The Director Internal
Audit, therefore, is responsible to the Audit and Compliance Committee whose authority is
sufficient to ensure both a comprehensive range of audit coverage, and the adequate
consideration of, and effective action on, the audit findings and recommendations.
Whilst the auditor may recommend standards of control for systems or review procedures
before they are implemented, the design, installation and operation of systems or drafting
of procedures for systems is not an Audit function. Performing such activities is presumed
to impair audit objectivity and could be seen to be displacing the role of management.
Confidentiality
Information acquired by an auditor in the course of audit duties must not be used for
purposes outside the scope of assessment and formation of an opinion and in reporting
according to audit responsibilities.
It is essential that the auditor maintain confidentiality regarding audit matters and
information arising from audit tasks.
Evidence
Auditors must obtain all evidence necessary for the effective completion of the audit.
The decision on how much evidence is enough and what type to seek requires the exercise
of the auditor's judgement based on experience, education, reasoning and intuition. A
thorough knowledge of the concepts underlying audit evidence will help the auditor to
improve the audit quality and efficiency.
Evidence needed to support the auditor's findings may be:
- physical evidence obtained by observation and enquiry;
- testimonial evidence from interview and statements from involved persons;
- documentary evidence consisting of legislation, reports, minutes, memoranda,
  etc., contracts, extracts from accounting records, formal charts and specifications
  of documentation flows, systems design, operations and organisation structure;
  and
- analytical evidence secured by analysis of information collected by the auditor.
Regardless of the type, the evidence involved should meet basic tests of sufficiency,
competence and relevance. The audit working papers should reflect the details of the
evidence upon which the auditor has relied or include copies of papers containing the
evidence.
Adequate Documentation
Auditors must provide adequate documentation of the audit, including the basis and extent
of planning, the work performed and the results and findings of the audit.
Adequate documentation of audit planning, methods, procedures, findings and results is
necessary in order to maintain an acceptable level of auditing service by providing:
- the Audit Manager with an adequate basis and sufficient evidential material to
  support any opinions expressed in the Audit Reports;
- evidence of the achievement of the required standard of audit performance;
- an effective link between successive audits; and
- a basis for quality assurance reviews.
Specifically, the following documentation is relevant and should be retained on file:
- Planning procedures;
- Information provided by the client or other parties that is significant to the findings
  or the recommendations;
- Principal procedures and findings to the extent that these are not documented in
  the final report;
- Evidence of review of work papers by the Director Internal Audit; and
- Client correspondence and reporting, including the final report (only the first draft
  and final copy of the report).
Documentation that is not referred to in the working papers or report findings is not to be
retained on file.
Operating Standards
Operating standards in force for Internal Audit at Curtin University of Technology are as
follows:
Planning
An audit plan must be prepared and revised as necessary in the course of an audit to cover
all material areas under examination.
This standard requires sufficient advance planning to provide a basis for effective audits.
This is the first step towards effective and efficient utilisation of staff time.
The audit planner is expected to be thoroughly familiar with the operations of the
organisation and be concerned broadly with medium to long-term horizons to ensure
systematic and adequate coverage of activities over time.
Supervision
Where work is assigned to members of an audit team, each member must have sufficient
proficiency and training to carry out assigned tasks. Their work must be carefully
supervised and reviewed.
The most effective way to control quality and to expedite the efficient and effective
progress on an assignment is by supervision from the beginning of preparatory work to the
completion of the report in draft form.
In particular, the Director Internal Audit is required to oversee and assess the audit work
program and audit budget throughout the course of each audit. In addition, it is the
Director Internal Audit's responsibility to approve any change to the audit budget or
deviation from the audit work program on each audit.
Statutory and Regulatory Requirements
One specific aspect to be covered is a review of compliance with statutory and regulatory
requirements, organisation plans and policies, directives and procedures.
This standard places an onus on the auditor to advise management of any instances where
the organisation has not complied with pertinent laws and regulations. In reviewing
compliance, the auditor should examine enabling legislation and general regulations as
appropriate.
Internal Controls
The system of internal control is conceptual in nature. It is the integrated collection of
control mechanisms used to achieve desired results.
A control is any mechanism or practice used to enhance the probability that required
results will be achieved.
Internal auditors must systematically evaluate the nature of the organisation's operations
and systems of internal control to assess the extent to which they may be relied upon to:
- ensure the integrity of management data;
- ensure that the organisation's assets are safeguarded;
- ensure compliance with policies, plans, procedures, standards, laws and
  regulations; and
- promote effectiveness, efficiency and economy in organisational practices.
Internal controls comprise the plan of organisation and the methods and measures
adopted to safeguard assets, comply with laws and regulations, check the accuracy and
reliability of management data, promote operational efficiency and encourage adherence
to prescribed managerial policies. These controls embrace the policies, procedures and
practices established by management as well as the plan of organisation and other
measures intended to promote and facilitate their implementation.
Internal control is the whole system of control, financial or otherwise, established by
management in order to carry on the business of the organisation in an orderly manner.
The characteristics of a sound system of internal control include:
- a plan of organisation providing segregation of responsibilities and duties
  appropriate for safeguarding the organisation's resources, and accountability for
  the economical and efficient utilisation of such resources;
- a system of authorisation and recording procedures adequate to provide control
  over resources;
- sound, formal practices to be followed in the performance of duties and functions
  of each of the organisational units;
- procedures to ensure the selection of personnel of a quality commensurate with
  their responsibility; and
- checks and balances to ensure desired results are achieved.
Types of control include:
- management;
- organisation;
- accounting; and
- physical controls.
A complete review of internal controls as a specific requirement would often be prohibitive
in terms of available resources. An examination of all "controls" would not be efficient (and
would not always add value) because not all are significant - in fact, the importance of
controls is directly linked to the assessment of business risk within an auditable area under
review. The auditor should exercise professional judgement and should concentrate on
controls which are important within the full scope of the system under review, i.e. key
controls.
Reporting
Each audit report should:
- be clear, concise and complete;
- explain clearly, where applicable, the scope, objectives and limitations of the audit;
- include an audit opinion;
- present findings, conclusions and recommendations in order of importance (based
  on risks assessed) and in an objective and dispassionate manner;
- include only factual information and findings and conclusions adequately supported
  by evidence;
- reflect a balance between critical comments and recognition of management-initiated
  improvements;
- identify and explain issues or questions needing further study and consideration by
  the auditor or others;
- highlight any departure from policies, plans, procedures, standards, laws and
  regulations; and
- recognise the views of management which should be considered for presentation in
  the final audit report.
Management Responsibilities
The responsibilities of the Director Internal Audit include the following:
Organising
The Director Internal Audit should define and put into effect organisational arrangements
appropriate to provide the quality and level of auditing services required at reasonable
cost.
Organising involves the establishment of the organisational structure and includes the
division of work into manageable units and the specification of the span of management. It
involves the use of such tools as organisation charts, position descriptions, flowcharts,
procedures, records and reports to establish the flow of information and the responsibilities
and authorities of individuals for performing activities, establishing information trails, and
setting standards of performance.
Directing
The Director Internal Audit should provide directives and written policies and procedures to
guide Audit staff.
Directing involves undertaking certain activities to provide additional assurance that plans
are carried out and that systems operate as intended. These activities include issuing
instructions to staff.
The form and content of written policies and procedures should be appropriate to the size
and structure of the Audit unit and the complexity of its work.
Controlling
The Director Internal Audit should establish and maintain a system of supervision and
control (including a quality assurance program) to evaluate the operations of the Audit unit
and provide reasonable assurance that required results will be met in an efficient and
economical manner.
Section 3 - Audit and Compliance Committee Charter
Introduction
The Audit and Compliance Committee Charter provides details of the Committee's
membership, purpose and responsibilities.
It was last approved by the Council on 20 February 2008 (C 20/08). The document may be
found on the Curtin Committee Document System Website (University Committees Terms
of Reference): Audit and Compliance Committee Charter.
Part 2 - Personnel & Administration
Section 4 - General Procedures
Commencement of an Audit
Audits are to be commenced and conducted only at times when, at the auditor's discretion,
they will cause the least inconvenience and disruption to the normal activities of the
Faculty/School/Department/Area.
All audits should be preceded by an initial email notification of the audit's commencement
and one or more entry interviews where the scope and objectives of the audit are
discussed. The auditor should also consider meeting with the prime auditee of the
auditable area prior to issuing the email notification, if there is any possibility that
problems may be experienced in obtaining management support for the audit to be
undertaken.
The auditor should later formulate a letter of engagement which confirms with the auditee
the matters discussed at the entry interview.
Conduct of an Audit
Auditors are to arrange a suitable position in the office in which to conduct their work.
Due care of University property and records is to be exercised and the confidentiality of
records and security of value items is to be maintained by the auditors. Auditor working
documentation and materials, and University records, are not to be carried loosely but in
folders or brief cases.
Section 5 - Personnel
The Auditor
The auditor's role involves the critical reporting of deficiencies in the University's system of
control and management of business risk. This can sometimes upset or cause
dissatisfaction amongst management and staff.
People in authority have the added responsibility of setting an example to others. Other
University staff expect auditors not only to know the correct procedures but to exhibit a
certain level of behaviour, particularly if the auditor is in a position to be reporting on
where work doesn't meet an acceptable standard.
The following points may act as a guide to the level of behaviour which is expected of new
Audit staff:
- Approach - auditors, like their auditees, are all members of the same institution
  and shouldn't set themselves apart or appear to be aloof. Audit is a management
  tool in the overall organisation of the University and its function is to assist rather
  than to hinder. Audit staff are to be friendly and fair in their approach but, at
  times, need to be firm in exercising their authority - particularly if other staff
  members are reluctant to give positive assistance.
- Work Knowledge - The whole basis of the auditor's work centres around
  determining weaknesses in control and management of risk. In order to be
  appointed to Internal Audit, officers must display a certain level of experience and
  competence. It is the auditor's responsibility to ensure that he/she refers, as often
  as is necessary, to the University's policies and procedures, individual
  Faculty/School/Department/Area procedures manuals, user guides and any
  statutes/regulations which may be applicable.
Internal Audit area - Organisation Structure
An organisation chart of the Internal Audit area is available at Appendix 1.
Security of Documentation
It is most important that University records and property in the care of auditors be
adequately secured at all times, whether in the office or in transit.
Auditors shall ensure that:
- audit files, when the auditor is in the field, are suitably housed overnight and not
  left on desks;
- personal computer equipment and backup diskettes/CDs are not left unsecured
  while the auditor is away from his/her desk;
- any University documents, files, reports or papers of any nature are not taken
  outside the building unless in a suitable envelope, parcel or briefcase.
Audit staff who are required to take PC equipment, working papers or reports to their
home prior to commencement of (or during) an audit must ensure that this property is not
left in motor vehicles overnight.
Section 6 - Administration
Audit Manuals
The Internal Audit area will maintain various Acts and Statutory Regulations, as required.
However, much of this information is now readily available on the web.
The Internal Audit area will maintain the following internal documentation:
- Audit Policies and Procedures Manual (which is stored electronically on the Internal
  Audit website, and has been developed in HTML format). This manual determines
  the standard expected of auditors in discharging their audit responsibilities.
- Other technical auditor information (which is stored electronically on the LAN in the
  appropriate directory, e.g. running CAATs).
Amendments to the above documentation are to be authorised by the Director Internal
Audit.
Area Expenditure
All drawings made to recoup expenses paid during the course of an Audit, for interstate
travel or external training, are to be compiled personally by the auditor for authorisation
by the Director Internal Audit (or relevant support administrative staff). Copies of all
supporting documentation, including receipts, vouchers etc, are to be filed in the relevant
administration area of the Office within which the Internal Audit Area operates.
Management Reporting
Each quarter, the Director Internal Audit is to submit a report to the Director's
administrative supervisor outlining activities carried out by the area for the previous
quarter. The information contained within this report will also form the basis of the Internal
Audit update paper presented to the Audit and Compliance Committee (the Director Internal
Audit is required to attend Audit and Compliance Committee meetings, as required, to
discuss activities performed by the Area for the previous quarterly period).
Retention of Audit Documentation
Supporting documentation for audits conducted by the area is to be retained as follows:
- Working Papers: When an audit file becomes full, the working paper contents
  (other than documentation for the last audit) may be removed and archived, but
  only if they refer to audits conducted prior to the current University financial year
  and only if they refer to audits that had the same scope and objectives as the most
  recent audit on file.
- Permanent Papers: The contents of a Reference File may be updated/replaced at
  any time during an audit.
The retention time for audit records is in accordance with University recordkeeping
procedures.
Section 7 - Time Usage Analysis
As a means of providing information for analysis of time usage, it is required that each
auditor maintain records of time spent on activities during the day (refer to Appendix 2 for
a sample form).
The Time Recording Sheet (a computerised spreadsheet) is to be completed each day and
handed to the Director Internal Audit midway through each month and within one working
day after the end of each month.
Auditors are required to record time spent on each individual activity by key
task/category/milestone as specified in Part A of the Field Audit Plan.
The minimum unit of time to be recorded is 0.25 hours (15 minutes) in a 7.5 hour working
day.
In calculating administration (non-productive time), the auditor should first determine
hours spent on each assigned project and other tasks during a working day; the remaining
hours should then be allocated as administration to make up 7.5 hours in total.
The timesheet is to be updated each day and figures accumulated on a calendar month
basis, with final actuals being carried forward from the previous calendar month. Any
necessary totalling of figures is performed automatically by the spreadsheet software.
The Director Internal Audit is to ensure that, on a monthly basis, totals are transferred
from the computerised timesheets to the Audit Progress spreadsheet (which reports annual
budgeted time against actual hours for scheduled audits).
Part 3 - Audit Planning
Section 8 - Planning
General
The Director Internal Audit should establish plans to discharge assigned responsibilities as
laid down in the Charter. Such planning involves a systematic approach to the setting of
objectives and goals, the selection of an appropriate strategy and planning approach from
various alternatives, and enables measurement of the achievement of the unit's
objectives.
The total audit planning process involves the establishment of:
- a Strategic Audit Plan which is the identification and documentation of auditable
  areas within an Audit Universe, and the prioritisation of these areas for review
  based on a predetermined risk assessment methodology;
- an Annual Audit Plan which sets out the planning of individual audit assignments
  over one financial year; and
- a Field Audit Plan which determines the scope and parameters for each individual
  audit.
Section 9 - Strategic Audit Plan
General
It is Internal Audit policy that a Strategic Audit Plan shall be maintained.
The plan will be designed so that all major auditable areas of the University are considered
and risk ranked before audit resources are assigned to selected tasks.
The plan will be developed by the Director Internal Audit, or an auditor delegated the task
(with ultimate approval by Director Internal Audit), on at least a yearly basis.
Purpose
The Strategic Audit Plan serves the following purposes:
- Identification of Auditable Tasks.
  A strategic plan highlights the key activities in the organisation to be reviewed. It
  can thus provide assurance that no significant auditable area has been overlooked.
  A well-constructed and dynamic strategic plan provides tangible evidence of
  management commitment to audit coverage as part of the organisation's overall
  system of internal control.
- Justification of Resources.
  A strategic plan, when accepted, can support Audit management's requests for
  establishing staff levels and in determining associated budgets.
- Management Participation.
  Management overview of the strategic plan will ensure that Audit's assessment of
  relative priorities accords with that of management.
- Accountability.
  A plan allows the comparison of work completed to work scheduled and is an
  important link in the accountability chain.
- Direction and Control.
  A well-structured, long-range strategic plan, with regular reports to executive
  management, is an indicator of a well-organised and administered Audit unit.
- Liaison.
  Communication of long-term plans can facilitate working arrangements with all
  other review activities, including external audit.
Developing a Strategic Audit Plan
A Strategic Audit Plan is established by:
- identification;
- risk ranking; and
- prioritisation
of auditable areas (within the Audit Universe).
While the Audit Charter defines the responsibilities of the Audit function in broad terms,
Audit management should possess sound knowledge of the organisation's activities in
order to document the auditable areas.
Identification of Auditable Areas
The Audit Universe of auditable areas must consider all major University operations,
systems and computer environments. To this end, Audit management must seek relevant
information from a variety of different sources, e.g.:
- Executive management
- Line management
- Organisational strategic and operational plans
- User Guides, Procedures Manuals, and other departmental documentation
- Audit staff
- Previous audit results
- The University's Risk Map
- Top 10/20 projects (IT or otherwise), as provided by the Chief Information Officer
  and other areas of the University.
The Audit Universe is held on the LAN in:
J:\ODVC\PQ\AUDIT\OPERATIONAL MANAGEMENT\Planning
within a further subdirectory referring to the financial year in which the Universe is
updated.
Each year, the current year's Audit Universe should be used as a starting point for the new
plan i.e. copy and rename last year's Universe before performing any updates.
Risk Ranking
Having identified the total set of audit tasks within the Audit Universe, it is now necessary
to individually rank and prioritise these tasks so as to ensure that Audit resources are
allocated to where they are most needed.
This is done by employing a suitable risk assessment methodology e.g. aligning the Audit
Universe with the University's Risk Map, or using a range of weighted risk assessment
factors such as Criticality, External Factors, Management Competence. In either case, the
expected outcome is a sorted and prioritised list of audits ready for input into the Annual
Audit Plan.
NOTE: The Strategic Audit Plan reflects the risk profile of the organisation at one specific
point in time. It needs to be dynamic, as during the year:
- new auditable areas may be identified;
- existing auditable areas may disappear; and
- new risks may be identified or existing risks may change in terms of their
  probability and/or impact.
Section 10 - Annual Audit Plan
General
Prior to the commencement of each new financial year, the Strategic Audit Plan will be
updated and an Annual (Operational) Audit Plan developed. This plan indicates audit
coverage within the constraints of available resources for a period of one financial year.
The plan will be developed by the Director Internal Audit, or an auditor delegated the task
(with ultimate approval by Director Internal Audit), after due consideration by the external
auditors and Executive Management.
The total Annual Plan for the area is submitted to the Audit and Compliance Committee for
review and approval, prior to the commencement of the new financial year.
Considerations for Planning
Not all of the auditable areas identified and risk ranked in the Audit Universe will be
covered in the Annual Audit Plan.
The availability, skills and knowledge of available internal audit resources, the ability to
outsource or co-source audits, and the scope and objectives of each audit are factors
affecting the selection of any one audit in the final operational plan.
With regard to scope and objectives, typical examples are:
- Preliminary Review - no audit testing required.
- New Audit - audit program development and audit testing required.
- Existing Audit - audit program update and audit testing required.
A 7.5 hour working day will be used in determining duration of audit assignments.
Consideration will have to be given to administration (non-productive) time each working
day. Administration caters for toilet breaks, phone calls, Christmas lunches etc.
In assigning audits to staff, the Director Internal Audit should:
- reserve a proportion of time to meet ad hoc management requests or undertake
  special investigations, and be involved in major University projects;
- make appropriate allocations of time for two or more auditors to work on the same
  audit;
- ensure auditors are adequately rotated on audits to minimise reliance on key
  persons and increase skills and knowledge across the team; and
- determine availability of working hours for each employee ONLY after first
  calculating total non-worked time, e.g. annual leave, long service leave, sick leave,
  training, study leave/exams and non-productive administration time.
In addition, the Director Internal Audit will ensure that agreement is reached with
management on the timing of each proposed audit, and its scope and objectives, prior to
the Annual Audit Plan being approved by the Audit and Compliance Committee. A special
form has been developed to facilitate this: the Audit Budgeted Hours Estimate Sheet - see
Appendix 20.
Planned Audits Spreadsheet
As part of the development of the Annual Audit Plan, a Planned Audits spreadsheet will be
set up showing the tasks allocated to each auditor and the time estimated for each task.
The schedule should also indicate other (non-project) work time and miscellaneous non-worked time.
The initial plan is held on the LAN (J:\ODVC\PQ\AUDIT\OPERATIONAL
MANAGEMENT\Planning, within a further subdirectory referring to the financial year in
which the plan is initially developed). At the commencement of the new year, it is to be
copied into the Audit Progress subdirectory J:\ODVC\PQ\AUDIT\OPERATIONAL
MANAGEMENT\Monitoring, and renamed to reflect the first month of the new year.
At the end of each month during the financial year, actual hours worked on audits will be
transferred to the Audit Progress spreadsheet enabling comparisons to be made between
budgeted time and actual time spent. The spreadsheet is to be copied and renamed each
month, using a three-character month abbreviation to distinguish each version, e.g. actuals for
May in the 2005 year are recorded in 2005budmay.
Section 11 - Field Audit Plan
The first stage in performing any work of a professional standard is to plan the sequence of
tasks to be completed. This ensures that resources are appropriately allocated to
performing the tasks, within the specified budgets.
It is particularly important that the auditor, in determining the scope, objectives and
timing of work to be done on a planned audit takes into consideration the information that
was gathered during the previous audit planning cycle for that audit via the Audit
Budgeted Hours Estimate Sheet - Appendix 20.
It is Internal Audit policy that, prior to performing any audit testing, Part A of the Field
Audit Plan (Appendix 6) should be completed and submitted to the Director Internal
Audit for approval along with the:

Engagement Letter (Appendix 9);

Proposed Audit Program of tests (Appendix 16); and

Risk and Control Analysis, where applicable (Appendix 14).
However, as each audit is different, the above documents may be submitted to and
reviewed by the Director at different times leading up to the audit testing phase.
Part B of the Field Audit Plan document should also be updated with relevant information
upon completion of the audit and handed to the Director Internal Audit for final sign-off.
The Field Audit Plan and accompanying documents enable Audit management to ensure
that work performed meets accepted standards and audit objectives and is carried out in
the most economical and effective manner.
Part 4 - Audit Methodology
Section 12 - The Audit Cycle - Summary
Introduction
The process of performing an audit has several stages. These are collectively referred to as
the Audit Cycle. This covers all aspects of an audit from the initial plan to final resolution of
all matters raised:

Planning;

Review and Evaluation;

Verification;

Reporting; and

Follow-up.
A short explanation of each phase appears below.
Planning
A pre-requisite for an efficient and professional audit is an adequate plan. The amount of
work involved in planning may vary considerably, depending upon whether or not the audit
has been performed before. An integral part of this planning is the entry interview (where
the scope and objectives of the audit are discussed), and the engagement letter (where
the outcome of the entry interview, and other audit planning related matters, are
confirmed with the auditee).
Review and Evaluation
In this phase, the system or operation is reviewed and documented, risks and controls
identified, and a preliminary evaluation of the adequacy of these controls performed (refer
to Section 13 for more information on the Risk and Control Analysis process). From here,
an audit program is developed or an existing audit program modified (refer to Section 14
for more information on Audit program development).
Verification
During this phase, the audit program is followed and assessments made based upon the
results of further investigation and testing. Refer to Sections 15-17 for more information
on the style and contents of working papers maintained.
Reporting
At the end of the Verification phase, findings are documented, together with appropriate
audit recommendations, in report form for later discussion with the Auditee during the exit
interview (refer to Section 18 for more information on Audit Reporting). A draft copy of the
report is sent to the auditee (management) to gain final clearance on matters raised (via
written management comments).
Upon receipt of management comments, the comments are included within the body of the
report and an audit opinion determined and inserted in the Conclusion section, prior to
publication.
The report is issued, and 2-3 days later, an Audit Client Questionnaire Form is issued
requesting feedback from the Auditee on the Auditor's performance.
Follow-up
On a six monthly basis, a follow-up report is issued by the Director Internal Audit on all
outstanding matters reported during prior audits. The status of action taken on each item
is noted, and items are carried forward until all action is complete.
The issues still reported as outstanding at the end of the follow-up process are reported
to the Audit and Compliance Committee (this occurs twice a year).
Section 13 - Risk and Control Analysis (RACA)
Audit Assignment
The assignment of staff to individual audits may differ from the original schedule developed in
the Annual Audit Plan; however, this should not hinder the achievement of the total Plan.
Risk and Control Analysis (RACA)
All audits undertaken by the Internal Audit area will be business risk focused.
The assigned auditor will decide, in consultation with the Director Internal Audit, the best
approach for the assigned audit.
Where feasible, a Risk and Control Analysis (RACA) approach should be adopted. Where
such an approach is not adopted, the auditor will need to be able to prove that no low risk
areas have been included, or high risk areas excluded, in the final audit program
developed to test the auditable area.
The objective of the RACA is to:

identify, within the auditable area, the major business risks to the University;

analyse these risks (in terms of their likelihood and consequences);

assess how management is controlling these risks;

conclude on the action to be taken in terms of audit testing of identified key
controls; and

identify any residual risks to be reported.
The RACA should be completed/updated in conjunction with, and approved by, the relevant
University Risk Owners.
Any residual risks identified during the RACA process may be documented immediately on
the draft report for future communication to management at exit interview (or, if
important enough, during the course of the audit field work). If the Business Risk Owner is
immediately made aware of these deficiencies, he/she may undertake to immediately
correct them or plan for their future correction.
Refer to the computerised RACA form in Appendix 14. The main fields to be input on this
form are as follows:

Business Activity, Function or Area refers to a distinct component of the
Auditable Area (depending on the type of audit, this may be exactly the same as
the Auditable Area). It does not specifically refer to a component of an audit
program of tests.

Risk Owner is the head of Office/Faculty/Department/School/Area responsible for
addressing the identified risks.

Risk No. is a unique number identifying a risk within a defined Business Activity,
Function or Area.

What Can Happen refers to a specific identifiable business risk.

Consequences provides a more detailed description of how the University could
be affected should the risk eventuate e.g. loss of income, inaccurate financial
information.

Likelih. Rating is a 1 character numeric code (from 1 to 5) signifying the
likelihood of the risk occurring in the University.

Cons. Rating is a 1 character numeric code (from 1 to 5) signifying the impact on
the University should the risk eventuate.

Risk Rating refers to the degree of intensity of the identified risk, determined by
multiplying Likelihood by Consequences. The field is to be manually calculated in
the spreadsheet as either "E" (Extreme Risk), "H" (High Risk), "M" (Moderate
Risk), or "L" (Low Risk). The second page of the RACA provides a table (Risk
Matrix) which shows how the Risk Rating is calculated based on various
combinations of Likelihood and Consequence.

Key Controls Currently in Place refers to the key controls currently in place
which manage the risk. This information should be gained by discussion with
management, review of documentation, observation etc. However, no detailed
testing should be undertaken. If there are multiple key controls identified, then
separate bullet points may be added to differentiate them.

Audit Testing Req? (Y or N) is a 1 character code indicating whether the auditor is
proposing to test the previously identified key controls.

Residual Risks To be Reported provides information on any deficiencies found in
the identified controls which result in some form of unmanaged residual risk that
exists. This risk may have to be immediately reported in the audit report,
depending on its likelihood and impact on the University.
Audit Focus
The audit may take one of several different directions, depending on the results of the
RACA e.g.

Report major and minor findings from the RACA and do no further audit work
(because of major exposures noted);

As above and develop a basic Audit program covering identified important risks
(but perform no testing).

As above and perform audit testing.
After finalising the Field Audit Plan and gaining the appropriate approval to proceed, the
auditor should undertake the required field work and draw on the Audit Team for advice or
to resolve problems. Any need to exceed assigned budgeted hours because of the time
taken to complete the RACA must be referred to and approved by the Director Internal
Audit.
Section 14 - Audit Programs
Standard
It is Internal Audit policy that, before detailed audit testing is undertaken, an audit
program should be prepared - refer to the template in Appendix 16.
Programs may cover more than one auditable area (if these areas are clearly inter-related)
but must be structured so that different auditable areas can be covered separately. In
circumstances where a number of auditable areas are covered in one program, the
program must make provision for a summary assessment covering all included areas.
The audit program is based upon the Risk and Control Analysis (or an equivalent Control
Analysis exercise performed during the Review and Evaluation phase), though there are
occasions where standard audit programs may be employed e.g. for IT technical audits. It
is reassessed and updated during each subsequent performance of the audit. The program
is thus a working document used as a guide to the auditor and subject to amendment as
appropriate.
Structure
The audit program is made up of several sections.
Front Page
This is always the first section of the audit program. It has the following components:

Audit Objectives - the primary (and perhaps secondary) objective for the program
as a whole. Any summary assessment of the audit will be based on the
achievement of this objective.

Audit Scope - the scope of activities to be included or excluded.

Index - a list of control sections and their subsections included within the audit, in
alphabetical order commencing with "1. General".
Control Sections
For each major control area identified for the auditable area under review, a section of the
audit program is established.
Each control section must have one or more summary control objectives and a list of audit
tests to be performed in association with these objectives. In classical systems-based audit
theory, these tests should cover both compliance and substantive testing; i.e. test both that
the system operates as described and that it produces correct results.
Upon completion of the audit testing in any one control section, the auditor will be able to
conclude, based on the results of the testing performed, whether management is
achieving/has achieved the stated control objectives.
Each audit program will have a standard section, at the beginning, called "General". This
section requires the auditor to do the following:

list the recommendations to major findings from the previous audit in the working
papers (and the most recent management response to each recommendation) and
verbally verify, with the auditee, that the matters have been addressed or are
being addressed. Where a particular issue will, for whatever reason, not be
covered during the current audit, sufficient audit testing must be performed in this
step to verify management's response; and

review all related external audit management letter issues raised in the current
and previous financial year (whether cleared or outstanding), then orally verify,
with the auditee, that the matters have been addressed or are being addressed.
Where a particular issue will, for whatever reason, not be covered during the
current audit, sufficient audit testing must be performed in this step to verify
management's response.
Audit Performance
It is Internal Audit policy that the audit program will be followed exactly, except as
determined by the Director Internal Audit or Senior Auditor supervising the audit (where
applicable). The Director Internal Audit must approve any deviation from the program,
where limited time is a factor.
Prior to the audit work being undertaken, the Director Internal Audit will approve the audit
program, including any specified changes or exclusions to the program steps.
Communication with Auditee
During the course of audit work, the auditor will communicate matters of significance with
the auditee to minimise the possibility of "surprises" at the end of the audit.
This may be done informally (e.g. emails, discussions) or via formal meetings.
Section 15 - Working Papers - General
Structure
The working papers document a system, operation or process and any audits performed on
it. They contain the records of preliminary planning, the Risk and Control Analysis, the
audit program, and the results of the work.
Working papers are prepared from the beginning of the first audit assignment in an area
and are added to and altered throughout the course of each subsequent audit. They are
continuously maintained documentation of audit activity.
Working papers are of two types - permanent and current. The permanent working papers,
known as the "Reference File", contain historical and relatively static descriptive material.
The current working papers (or simply "working papers") contain records of audits carried
out.
Rationale
The auditor prepares working papers for a number of different purposes:
Reference File

As the repository of the system descriptive information obtained through
questioning people, reviewing instructions and directives, analysing systems and
procedures and examining transactions. This includes notified changes in
procedures and IT systems.

To support discussions with operating personnel. Operations can be quite complex.
Inter-relations of systems and organisations can be difficult to retain in memory,
while documented explanations and charts in the working papers, indexed for
ready access, can put the auditor on an equal footing with the people who live with
the operations and understand them intimately.
Current Working Papers

To identify and document deficiency findings, and accumulate evidence needed for
determining the existence and the extent of the deficient conditions.

To help perform the audit in an orderly fashion coinciding with the audit program;
to document what has been done; to indicate what is still to be done and give
reasons for what will be left undone.

To provide support for the audit report. Well-structured working papers make it
easy to transfer the material written during the audit to the pages of the final audit
report. The auditor can develop discipline that moves both the working paper
documentation and the audit report on the same assembly line, minimising any
rephrasing and restructuring and ensuring that the points raised in the report are
covered by the working papers. An experienced auditor has the structure of the
final report in mind throughout the entire audit project. It helps keep the work
relevant and pointed in the right direction.

As a line of defence when conclusions and recommendations are challenged.
Criticism, expressed or implied, is rarely taken kindly. It leads to challenges from
the one criticised and such challenges must be rebutted with facts and proof. The
working papers, properly developed and referenced and readily accessible, lend
support to the auditor and give a feeling of security.

As the basis for supervisory or peer review of the audit progress and
accomplishment. Review of the audit project should be current and continual. The
working papers, as evidence of work done and to be done, are much better indices
of accomplishment than unsupported oral assertions (which may easily become
general, distorted or superficial) and can materially benefit the audit. A review of
work progress is seriously diminished in value if it is based only on conversation
with the auditor.

As a basis for appraising the auditor's technical ability, skills and working habits.
Audit proficiency is clearly mirrored in the documentation of work and support for
conclusions.

As background and reference data for subsequent reviews. Audit projects may be
repeated or followed up. High quality working papers make the repeat much easier
and more economical. The subsequent review may therefore build on the earlier
one.
Section 16 - Current Working Papers
General
It is Internal Audit policy that current working papers on each program will be completed
and presented in the following format (one set for each performance of the audit):

Working Papers Index (Appendix 3).

Review Notes (Appendix 5).

Planning i.e. Initial Email notification of audit commencement (Appendix 10), Field
Audit Plan (Appendix 6), Audit Checklist (Appendix 8), and Engagement Letter
(Appendix 9).

Audit Report and Memoranda - Major Report Draft Cover Page (Appendix 11),
Audit Summary Covering Memorandum (Appendix 11B), Major Audit Report
(Appendix 12), Minor Audit Report (Appendix 13) and Audit Observations
(Appendix 13A). Note that the Major Audit Report will only include "E", "H" or "M"
risk issues, while the Minor Audit Report will only include "L" risk issues.

Risk and Control Analysis (Appendix 14) / Audit Program (Appendix 16)

Audit Working Papers (Appendix 17).

Appendix Cover and supporting appendices (Appendix 18).
The Audit Planning documents (excluding the Audit Checklist), Risk and Control Analysis,
and Audit program are usually completed before the audit field work commences.
The Points for Attention at Next Audit (PANA), Working Papers, and Appendices are prepared
by the auditor while the audit is being conducted.
Towards the end of the audit, the Audit Findings will be developed including the Audit
Observations.
At the end of the audit, the Audit Report Grade, Conclusion, Scope and Objectives and two
standard appendices (showing the standard Audit Report Grading system and Risk Rating
system) will be compiled - at this point, the report is ready to be issued. The Audit
Checklist is a mandatory document that is referred to and completed during the course of
the audit.
Each page of the working papers must be signed and dated by the auditor when it is
complete.
Working Papers Index
The Working Papers Index should always be on page one of the workpapers. This index
should contain ticks to indicate sections that have been performed by the auditor.
Upon completion of the audit, once the review notes have been addressed, the reviewing
officer will sign off the working papers on the Index Sheet.
Review Notes
These notes will be compiled on the relevant form by the reviewing officer prior to any
report being released, and will request clarification/explanation of the work completed.
Any work by the auditor on the review notes will receive priority and will be recorded in
the body of the working papers.
Audit Planning
This section will contain the following documents:

Initial email notification of audit commencement;

Field Audit Plan document (Parts A and B);

Audit Budgeted Hours Estimate Sheet (if available);

Audit Checklist;

Engagement Letter; and

Other correspondence or notes associated with the development of the audit plan
e.g. memos or emails.
The Field Audit Plan facilitates the planning process at the individual field audit level (refer
to Section 11 for more detail). The first page of this form (Part A) is completed before the
field work commences, and the final page (Part B) is completed upon completion of the
audit.
The Audit Checklist is a detailed guideline of activities to be performed by the auditor
during the course of an audit. It serves as a reminder of the tasks to be performed and
their order of completion.
The Engagement Letter summarises the scope and objectives of, approach to, and an
estimate of time for completing, a particular audit.
The Audit Budgeted Hours Estimate Sheet provides information obtained on the scope and
objectives of the audit, during the audit planning cycle undertaken in the previous year.
Audit Report and Memoranda
This section will include a copy of the official audit report issued to the Executive Manager
and his/her direct reports by the auditor through the Director Internal Audit.
The Audit Observations will also be included here, along with other memos (including
correspondence on minor items and action memos) and any extra correspondence
received/raised during the course of the audit.
Note: Prior to the final report being compiled, the Auditor may develop a set of Audit
Observations (Appendix 13A) which will contain information on observations made during
the course of the audit work, and associated evidence to support observations. These
observations may not necessarily be raised as report findings, but are for discussion with
auditees to ensure they are kept informed of matters arising from the audit that have
potential to be reported (and to eliminate any erroneous or incorrect findings at an early
stage). The observations may be progressively accumulated during the audit, but must be
discussed with management before the final working paper file is submitted to the Director
for review. As there may be many changes arising from these matters being brought to
the attention of management, it is not necessary (or even feasible) to align each matter
raised in the Audit Observations sheet with those in the final draft report and working
papers.
Points For Attention at Next Audit
This section will be completed, on the relevant form, for any points that need to be
highlighted at the next audit.
It provides a mechanism whereby appropriate follow-up action can be initiated and, for
this reason, the form should be referred to before the next audit of the auditable area for
which it was completed.
Examples of points which may be listed for attention at next audit are:

selected items which could not be located for checking at the time of audit; and

any other matter which could not be properly dealt with at the time of audit and
requires or merits attention at the next audit, including program steps not
performed.
Each item listed should be linked to an audit program step in the appropriate column and
be referenced to supporting documentation or any other relevant part of the audit file as
appropriate.
The reviewing officer is required to approve each item reported on this form.
Risk and Control Analysis
The Risk and Control Analysis (RACA) process is described in Section 13.
This form is used to identify the major business risks to the University and the ways in
which management is controlling or managing those risks.
Audit program
A copy of the audit program will be included in the audit file.
The auditor's initials and date of work completed columns are to be entered against each
test step or group of test steps to:

verify that all tests have been completed; and

identify the auditor responsible for completing that part of the audit.
The program should be progressively initialled and dated by the auditor(s) as the audit is
being conducted.
Audit Worksheets
This will be the bulk of the workpapers and will be prepared while the audit program is
being executed. The contents of this section will vary greatly from one audit to another,
however, in general terms it should record the full detailed results of the audit.
Each program step completed should be referenced on the left hand side of the worksheet
(e.g. 2.1, 7.3 etc) and the actual test or work described in narrative/tabular form, with
appropriate references (where necessary) to supporting documentation in the appendices.
Each step described in the worksheet should have, incorporated within it, statements of
any conclusions reached (and the validity of these statements should be self-evident from
the documented findings).
Upon completion of an audit section, the overall conclusion for the section should be
determined and documented immediately after the last program step on the worksheet.
This overall conclusion should be documented as a separate paragraph with its own
heading "CONCLUSION" and should indicate whether the control objectives for the section
have been attained.
Each audit program step documented on the worksheet should have an appropriate unique
finding reference number placed in the right hand column where a finding is to be
documented as a major or minor report item e.g. FND#2, FND#4 (this is usually
performed at the completion of the audit when all of the issues identified during the course
of the work can be considered).
Supporting Appendices
All Appendices will be listed, in alphabetical or numerical order, on an Appendices
Summary Sheet located immediately before the first Appendix on file.
All supporting documentation will be placed at the end of the working papers and
referenced appropriately.
This documentation includes copies of actual forms, documents or report pages used to
support findings in the worksheets. In addition, large tables of tests performed should also
be documented and inserted here to avoid excessive detail in the worksheets.
Section 17 - Reference File
Standard
It is Internal Audit policy that, for each auditable area reviewed, a file of static or
permanent information will be kept.
The Reference File will contain information such as system description, design committee
minutes, executive submissions etc which are historic in nature or do not alter appreciably
from audit to audit.
Material such as full procedure manuals, handbooks or user guides should not be
incorporated within the Reference File. A reference to their existence should be made in
the appropriate section of the file.
It is the responsibility of the auditor performing an audit to ensure that system description
information is brought up-to-date. Historical information such as minutes or
correspondence will be maintained by the auditor with overall responsibility for the area.
Structure
The general Reference File structure is set out below (Appendix 19).
Constraints upon the System or Function

References to legislation, internal regulations.

External Standards (common practices).

Policy Decisions (including original submission and approval).

Implementation committee minutes and decisions.
Functional/System Description

Organisation charts and job descriptions.

System description (overview).

Detailed flowcharts or data flow diagrams.

Computer system specifications.

Descriptions of operations.

Procedures.

Standard Forms.

Example Reports.

Online Screen Layouts.
Miscellaneous
This section should be indexed separately so that the relevance of its contents can be
seen. It could, for example, include schedules of the type of data handled by the system, a
schedule of assets or various statistics to support sample sizes selected.
Section 18 - Audit Reports
Philosophy
At the conclusion of every audit project, a formal report to management will be issued - see
the template in Appendix 12.
The purpose of such a report is to give University management the auditor's assessment of
the reviewed area. This assessment will include major deficiencies and action to be taken
to correct any problems.
It is Internal Audit policy to report in detail only deficiencies. This does not preclude a
complimentary assessment, but such an assessment would be part of a more general
statement rather than treated in detail.
The report is to University management and must include only major items.
More importantly, the readers of the report must be left in no doubt as to the agreed or
required action.
A major item is defined as one whose risk has been classified as either "E" (Extreme), "H"
(High) or "M" (Moderate) only.
Audit Report Structure
The standard report structure is in three main sections:

Audit Report Grade is displayed on the front page of the report, and is selected
straight from Appendix 1 in the final report (which is a standard appendix
contained in each major audit report issued).
RED signifies an unsatisfactory control environment i.e. findings indicate
significant control weaknesses and the need for urgent remedial action. Where
corrective action has started, the current remedial action is not, at the time of the
audit completion, sufficient or sufficiently progressed to address the severity of the
control weaknesses identified.
AMBER signifies an adequate control environment, but subject to reservations i.e.
a number of findings, some of which are or could become significant, have been
raised. Where action is in progress to address these findings and other issues
known to management, these actions are at too early a stage to allow a
satisfactory audit opinion to be given.
GREEN signifies a satisfactory control environment i.e. findings indicate that, on
the whole, controls are satisfactory, although some enhancements may have been
recommended.
There are no hard and fast rules for determining the Audit Report Grade, however,
the risk rating of the audit findings reported will naturally help determine the final
outcome e.g. the presence of one to two extreme level risks may be sufficient to
grade an audit as RED.
Immediately before the issue of the final report, the main auditees at Executive
level are to be informed of the proposed grade of the audit report. This is done by
the Director Internal Audit via email or via face-to-face discussions.
If the Audit Report Grade is to be RED, then immediately before report issue to
Executive Management, an unsigned draft copy is to be provided to the Vice
Chancellor for his/her perusal. Usually, the Vice-Chancellor is permitted one week
to review the draft report and provide any comments back to the Director, prior to
issuing the final report.

Executive Summary provides a summary of the audit performed and includes
standard sections describing the audit objective and scope (which should align with
the audit objective and scope detailed in the Engagement Letter), list of findings
raised and audit conclusion (which provides the high level justification for the audit
grade reported on the first page of the audit report).

Audit Findings should be inserted in a separate table, with the following
information:
- Major Audit Finding No. - a unique number identifying the finding.
- Cause - details the cause or causes of the finding.
- Risk Consequence (Description) - details the consequence to the
University should the underlying risk not be minimised, treated or
eliminated. This links to the Risk Consequence rating below.
- Finding - provides a concise description of the finding.
- Risk Likelihood, Risk Consequence and Risk Rating - provide a
quantitative assessment of the risk arising from the reported finding.
These are explained further in Appendix 2 of the report (which is a standard
appendix contained in each major audit report issued).
- Audit File Ref. - one or more references to findings located in the working
papers.
- Audit Recommendations - Internal Audit's recommendations to address
the findings raised.
- Management Action Plans - management's response to Internal Audit's
recommendations.
- Target Date - management's indication, in association with their formal
response, as to when the matter will be cleared.
The Reporting Process
Major Reports
All major reports must be issued to the relevant Executive Manager(s) and Audit and
Compliance Committee members.
A copy of the major report should be emailed (in secure form) to the Office of the Auditor
General.
The final report will be in colour, and multiple colour copies must be produced for each
officer on the distribution list.
Each of the final copies must be signed by the Auditor, and put through the Director
Internal Audit who will initial them. In some cases, audit reports will also need to go
through a Senior Auditor before being initialled by the Director.
A signed colour copy of the final major Audit Report should be placed on the Working
Paper file (along with a signed copy of the Minor Audit Report, if it exists - see next
section).
A signed colour copy of the final Major Audit Report must also be produced and placed in
the yearly Audit Reports File located in the Director Internal Audit's office.
The Auditor is required to electronically transfer a copy of the final Major Audit Report file
to the following two LAN subdirectories:
For Audit Follow-up purposes: to
J:\ODVC\PQ\AUDIT\COMMITTEES\Reporting\Audit and Compliance
Committee\Outstanding Issues Followups\Internal Audit\New IA Reports - for
inclusion in Audit followup.
For permanent electronic storage in the Audit Repository: to
J:\ODVC\PQ\AUDIT\PUBLICATION\Reporting\Internal Audit Report Repository
Minor Reports
The Audit Reporting Process may also involve the issue of a Minor Audit Report.
Deficiencies found during an audit are not necessarily important enough to report to
Executive, i.e. "L" (Low risk) items.
These should be reported in writing to appropriate departmental managers by means of a
standard office memorandum, upon completion of the audit (Appendix 13).
The memo may be signed by the auditor without any further review or signoff by audit
management.
Interim Reports
During the course of an audit, matters requiring immediate attention may arise.
Rather than wait for the completion of the audit, an interim report (Action Memo) stating
the deficiencies, causes, risks and recommended action (if any) should be issued. The
matters so raised, and their resolution, will still be reported in the final report.
Special Reviews
Internal Audit may be called upon to perform a special review.
The report from such a review should follow a standard format, which may be modified to
suit the circumstances of the review. The preferred format is included in Appendix 23.
Deficiencies Unrelated to a Current Audit
Similarly, matters unrelated to the current audit project may come to an auditor's
attention.
If these matters are of significance to Executive or if the auditor believes that the resulting
exposure is serious, a formal report (Action Memo) should be issued. A final resolution of
matters raised need not appear in the final report.
Periodic Reporting
The Director Internal Audit reports audit activity to the Audit and Compliance Committee
on a quarterly basis.
Section 19 - Working Paper Review
Introduction
Working papers are to be reviewed by the nominated reviewing officer, usually the Director
Internal Audit.
Interim reviews of completed sections of uncompleted audits should be performed by the
reviewer to allow for timely rework if necessary (rather than waiting for the entire audit to
be finished).
The working papers file, including the draft report findings and Scope and Objectives (but
not the Audit Report Grade and Conclusion), is to be handed to the reviewer prior to the
exit interview.
Once the review has been completed and queries resolved, all documents are to be filed on
the working paper file.
Procedures
All working papers must be reviewed to ensure that the audit has been adequately
conducted and documented. The reviewer must sign each worksheet (excluding appendix
documents) as evidence of review.
Queries raised by the reviewer will be included on the Review Notes form and referred to
the auditor for answers. No working papers will be considered complete until all questions
have been answered to the reviewer's satisfaction.
The checklist below is an indication of the aspects which the reviewer will examine before
exit interview:

Ensure that the audit program is fully signed off.

Ensure that audit steps signed off as being "not applicable" are in fact not
applicable.

Ensure that the program is changed to reflect any system changes.

Enquire into audit steps which have not been signed off.

Ensure that the `Points for Attention at Next Audit' from the previous audit have
been adequately resolved or addressed.

Ensure that there is adequate cross-referencing of detail.

Confirm that the Reference File has been brought up to date.

Check that each finding in the working papers has been accurately brought forward
to the report table.

Assess whether there is sufficient supporting evidence for each matter raised.
The checklist below is an indication of the aspects which the reviewer will examine after
management comments have been received, inserted in the report, and the Audit Report
Grade and Conclusion prepared:

Ensure that each major finding reported has been properly resolved or includes a
comment from relevant management.

Ensure that the draft report has been discussed with the appropriate Department
Manager before the final report is released.

Confirm that the Report Conclusion written by the auditor properly reflects the
outcomes of the audit.

Check that all Review Notes have been addressed, then sign them off along with
the working paper file.
Section 20 - Flowchart Documentation
Introduction
In many audits, it will be a useful first step to create a flowchart to present an overview of
the function(s) in the system to be audited.
If a flowchart already exists, then the first step should be to review, update and
improve the chart on hand (which should be located in the Reference File immediately
after the System Description).
The purpose of flowcharts is twofold:

to provide a simplified picture of system/operation function; and

to document the control points in a system (via the Risk and Control Analysis).
It is important therefore that an appropriate balance between detail and simplicity be
established. A complex flowchart is difficult to understand and update; it is therefore likely
to be of little use to anyone other than its original author.
The use of narrative to clarify charts is encouraged but charts are not an appropriate place
for long descriptions. A flowchart is a graphic representation of relationships, of flows of
information or documents. A single chart should not be made to perform all functions.
Section 21 - Audit Sampling
General
Audit sampling is a method by which an auditor can draw conclusions about the whole of a
group of items (the "population") by examining some of them ("the sample").
Testing Template
Auditors will use the Internal Audit area's standard audit testing template (Appendix 7) to
determine sample sizes, based on population and risk, and to draw conclusions as to what
is happening in a population of audited items.
This template details:

test to be performed;

who performed the test;

date of testing;

what population the sample was selected from;

why the sample size was selected;

who provided the documentation to be tested;

any exceptions found; and

test conclusion.
NOTE: Where the audit period selected is such that the sample size cannot be achieved,
the Auditor must exercise his/her judgement in determining what to sample and in what
period. It may mean that the whole population in the audit period is selected, plus other
transactions outside of the period in order to achieve a reasonable sample for testing,
based on the guideline in the template.
Sample Selection
Once a sample size has been determined, each item to be sampled will be selected on a
completely random basis and in such a manner that each item in the population has an
equal or known chance of being selected.
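The selection rule above, together with the NOTE about audit periods too short to yield the template sample size, in working code. This is an added example written for this page, not code from the Internal Audit Area; it assumes a population of unique transaction identifiers, a sample size already read from the testing template (Appendix 7), and a seed recorded on the template so the reviewer can repeat the draw, none of which the manual specifies.

```python
"""Random sample selection for audit testing.

Added example, not part of the Curtin manual. Assumptions: the population is
a list of unique transaction identifiers, the sample size has already been
read from the testing template (Appendix 7), and the seed is recorded on the
template so the reviewer can repeat the draw exactly.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SampleSelection:
    population_size: int    # items the sample was drawn from
    requested_size: int     # sample size taken from the testing template
    seed: int               # recorded on the template for reproducibility
    selected: tuple         # chosen identifiers, sorted for the working papers
    whole_population: bool  # True when every item had to be selected


def select_sample(population, sample_size, seed):
    """Draw sample_size items so each item has an equal chance of selection.

    random.Random is seeded for reproducibility, not secrecy: the sample is
    evidence that must be re-drawable by the reviewer, so the seed goes on the
    testing template. If the population is no larger than the requested
    sample, the whole population is returned and flagged.
    """
    items = list(population)
    if sample_size < 0:
        raise ValueError("sample size must be non-negative")
    if len(set(items)) != len(items):
        raise ValueError("population contains duplicate identifiers")
    if sample_size >= len(items):
        return SampleSelection(len(items), sample_size, seed,
                               tuple(sorted(items)), True)
    rng = random.Random(seed)
    chosen = rng.sample(items, sample_size)  # without replacement, equal chance
    return SampleSelection(len(items), sample_size, seed,
                           tuple(sorted(chosen)), False)


def select_with_top_up(in_period, outside_period, sample_size, seed):
    """Apply the manual's NOTE for a short audit period: take every in-period
    item, then top up at random from transactions outside the period until
    the template sample size is met. Returns (selected, top_up_count).
    If the outside pool is also too small, every outside item is taken and
    top_up_count shows the shortfall the auditor must justify."""
    base = select_sample(in_period, sample_size, seed)
    if not base.whole_population or len(base.selected) >= sample_size:
        return base.selected, 0
    shortfall = sample_size - len(base.selected)
    already = set(base.selected)
    candidates = [t for t in outside_period if t not in already]
    extra = select_sample(candidates, shortfall, seed)
    return tuple(sorted(base.selected + extra.selected)), len(extra.selected)


# Constructed sample populations (not real Curtin data).
PERIOD_TXNS = [f"TXN-2023-{n:04d}" for n in range(1, 51)]
OUTSIDE_TXNS = [f"TXN-2022-{n:04d}" for n in range(1, 31)]

if __name__ == "__main__":
    draw = select_sample(PERIOD_TXNS, 10, seed=20230401)
    print("seed", draw.seed, "->", draw.selected)
    picked, added = select_with_top_up(PERIOD_TXNS[:5], OUTSIDE_TXNS, 10,
                                       seed=20230401)
    print("topped up with", added, "outside-period items:", picked)
```

The seed is the reproducibility control: with the same population listing and seed on the testing template, a reviewer re-runs the draw and gets the same items, which is what the "why the sample size was selected" and "what population the sample was selected from" fields are there to support. Where the population listing itself comes from the auditee, record how it was obtained, since a sample is only as complete as the population it was drawn from.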
Part 5 - Major Project Development Audits
Section 22 - Audit Objectives
General
The following guidelines provide Audit personnel with direction in respect to the audit
activity to be undertaken during major project development in the University.
These guidelines have been separately documented because of the unique nature of audit
involvement in the project development process.
These guidelines are not, however, intended to restrict any project development audit to a
limited set of activities or to impose a precise solution for such an audit.
Audit Objectives
Auditors will participate in the development of selected major new University projects
(providing oral and/or written input and advice as required), with the objective of gaining
assurances that business risks are identified and managed and suitable controls
implemented.
Section 23 - Audit Approach
General
Auditors will be assigned to major project developments by the Director Internal Audit.
The Director Internal Audit will contact representatives on these projects to advise them of
Audit involvement.
Audit Scope
In order to achieve the primary audit objective described above, the scope and degree of
auditor involvement on each project will be at the discretion of the auditor.
Auditor involvement will, however, be guided by way of a Standard Audit Checklist
(Appendix 4) which will be made available to the auditor at the commencement of that
auditor's involvement in the project.
An auditor's time involvement may be limited or expanded with the prior approval of the
Director Internal Audit, after consideration of existing budgeted audit time constraints.
Audit Deliverables
Auditor involvement on major project development will focus on adding value during the
course of the project development, rather than on producing detailed audit documentation
and working papers.
However, an audit report should always be issued upon implementation of a project (see
sample at Appendix 22). The format of this report will be non-standard in that the auditor
is not expected to raise new major issues and obtain management recommendations (as
such matters should have been resolved during the course of the project). Instead, the
report should outline the auditor's involvement, the auditor's conclusion, and list any
issues that remain outstanding (but which do not materially affect the project
outcomes).
During the course of the audit, it may also be necessary to publish action memos where
significant control deficiencies or other issues require immediate management
consideration.
Section 24 - Major Project Development Audit Working Papers
General
The auditor will maintain a file of documentation arising from, or produced as a result of,
audit involvement on the selected project.
This documentation should be structured in accordance with the Standard Audit Checklist
referred to above i.e. checklist at the front, followed by published audit report and other
supporting papers.
It will not be necessary for the auditor to produce written working papers as evidence that
the checklist items have been addressed, however, a working paper file, as described
above, should be maintained (containing memos, correspondence, documents, plans etc).
Section 25 - System Documentation
General
The system documentation described below may be produced in support of major project
development audits undertaken, where considered necessary.
This documentation will be produced and maintained on the LAN directories.
This documentation is as follows:

System Description

Flowcharts or Dataflow diagrams

Risk and Control Analysis
System Description
The System Description provides an overview of the system under review.
The System Description outlines:

input data, media and preparation or transmission locations;

the major processes and files used;

output data, media and receiving locations;

interfaces with other systems;

the hardware and software used;

any special or unusual features of the system;

key controls regarding processing accuracy and authorisation; and

management trails.
Risk and Control Analysis
The Risk and Control Analysis process may be utilised to assess the quality of controls
being built into the new system (refer to Section 13 for further information).
Part 6 - Audit Evaluation and Performance
Section 26 - Audit Client Questionnaire Form
General
Two to three days after the issue of a major audit report, the Auditor is to issue an Audit
Client Questionnaire Form (Appendix 21) to one or more auditees, requesting formal
comments on the auditor's performance.
The form is to be emailed (with the details of the audit already entered on the
form) to the Director Internal Audit, who will then forward it to the nominated auditees.
The auditee is to formally respond to the Director Internal Audit who, upon receiving the
completed form, will provide it to the auditor for his/her information and comment.
The Director Internal Audit may follow up issues raised, or any negative comments made,
with the auditor, and in some cases, may contact the auditee for clarification.
Completed forms will be filed by the Director Internal Audit.
Section 27 - Performance Reviews - KRIs and KPIs
General
Auditor Performance Reviews are to be performed in accordance with University
requirements, with a major review being performed each year.
KRIs (Key Result Areas) and KPIs (Key Performance Indicators) are to be formulated and
agreed with the Audit Team every year, but the comments received via the Audit Client
Questionnaire Forms should always be included as a major KPI.
Part 7 - Miscellaneous
Section 28 - LAN Permanent File Naming Standards - Effective 1 May 2003
General
During the course of an audit, the auditor may develop permanent documentation
(flowcharts, audit programme, a system description etc) which will need to be retained and
updated at the next audit.
This documentation is to be stored on the LAN to ensure it is available for the auditor the
next time an audit is conducted.
Within the Permanent Files subdirectory are further subdirectories.
Each of these subdirectories is identified by a two character alphabetic code e.g. MG (for
Management and Governance) represents a subsection of the Audit Universe. Therefore,
all auditable areas in the MG section of the Audit Universe will have their permanent
information stored in the MG subdirectory of the Permanent Files subdirectory.
Permanent files will be stored as Word, Excel, ABC Flowcharter etc files in subdirectories,
using a standard naming format i.e. XX.YY.FCC, where:

XX = the two character alphabetic code representing the appropriate section of the
Audit Universe e.g. MG, US, GR etc

YY = a unique two-digit number identifying a separate auditable area within the
relevant section of the Audit Universe e.g. MG.10 represents an audit called
Corporate Governance and Leadership, SM.10 represents an audit called Library
and Information Services etc.

F = a single alphabetic character that identifies the file type i.e.
"A" = Risk and Control Analysis
"C" = CAATs
"S" = System Description
"F" = Flowchart
"N" = Permanent Notes
"P" = Audit Programme
"V" = Various other papers

CC = two numeric digits, in the range 01 - 99, representing a unique document
number
Two examples illustrate the naming convention:
The audit programme for the audit of the Copyright Act would be stored in the LR
(Legislative/Regulatory Compliance) subdirectory of Permanent Files as LR.10.P01, while
the Risk and Control Analysis would be stored as LR.10.A01
The audit programme for the audit of Expenditure Controls would be stored in the FA
(Financial Activities) subdirectory of Permanent Files as FA.21.P01, while two sets of
flowcharts would be stored as FA.21.F01 and FA.21.F02
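The XX.YY.FCC convention as a parser and validator, so that a name can be checked before a file is saved to the Permanent Files subdirectory and the next free document number can be found. This is an added example written for this page, not a tool of the Internal Audit Area. The file-type letters and the section codes MG, US, GR, SM, LR and FA are those given in Section 28; the Audit Universe has other section codes the manual does not list, so an unknown code is reported rather than rejected (an assumption). A trailing application extension such as .doc is tolerated and ignored, on the assumption that the standard names the file stem.

```python
"""Parser and validator for the Internal Audit permanent file naming standard
XX.YY.FCC described in Section 28.

Added example, not part of the Curtin manual. File-type letters and the
section codes MG, US, GR, SM, LR and FA come from Section 28; other section
codes exist in the Audit Universe but are not listed on the page, so an
unknown code is flagged rather than rejected (assumption). An optional
extension (.doc, .xls, ...) is accepted and ignored (assumption).
"""
import re
from typing import Iterable, NamedTuple, Optional

FILE_TYPES = {
    "A": "Risk and Control Analysis",
    "C": "CAATs",
    "S": "System Description",
    "F": "Flowchart",
    "N": "Permanent Notes",
    "P": "Audit Programme",
    "V": "Various other papers",
}

# Section codes named in Section 28; not an exhaustive list of the Audit Universe.
KNOWN_SECTIONS = {"MG", "US", "GR", "SM", "LR", "FA"}

_NAME_RE = re.compile(
    r"^(?P<section>[A-Z]{2})\."    # XX: two-letter Audit Universe section
    r"(?P<area>\d{2})\."           # YY: two-digit auditable area
    r"(?P<ftype>[ACSFNPV])"        # F:  file type letter
    r"(?P<doc>\d{2})"              # CC: document number, 01-99
    r"(?P<ext>\.[A-Za-z0-9]+)?$"   # optional application extension
)


class PermanentFileName(NamedTuple):
    section: str
    area: str
    type_letter: str
    file_type: str
    document_no: int
    extension: Optional[str]
    known_section: bool

    @property
    def stem(self) -> str:
        """The name in XX.YY.FCC form, without any extension."""
        return f"{self.section}.{self.area}.{self.type_letter}{self.document_no:02d}"


def parse_permanent_file_name(name: str) -> PermanentFileName:
    """Return the parsed name, or raise ValueError naming the rule broken."""
    m = _NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"{name!r} does not follow XX.YY.FCC")
    doc = int(m["doc"])
    if doc == 0:
        raise ValueError(f"{name!r}: document number CC must be in 01-99")
    return PermanentFileName(
        section=m["section"], area=m["area"], type_letter=m["ftype"],
        file_type=FILE_TYPES[m["ftype"]], document_no=doc,
        extension=m["ext"], known_section=m["section"] in KNOWN_SECTIONS,
    )


def next_document_name(section: str, area: str, type_letter: str,
                       existing: Iterable[str]) -> str:
    """Pick the lowest unused CC for a new file of the given type, given the
    names already stored in the subdirectory. Names that do not follow the
    standard are skipped rather than allowed to abort the scan."""
    if type_letter not in FILE_TYPES:
        raise ValueError(f"unknown file type letter {type_letter!r}")
    used = set()
    for name in existing:
        try:
            parsed = parse_permanent_file_name(name)
        except ValueError:
            continue
        if (parsed.section, parsed.area, parsed.type_letter) == (section, area, type_letter):
            used.add(parsed.document_no)
    for doc in range(1, 100):
        if doc not in used:
            return f"{section}.{area}.{type_letter}{doc:02d}"
    raise ValueError(f"all 99 document numbers used for {section}.{area}.{type_letter}")


if __name__ == "__main__":
    for example in ("LR.10.P01", "LR.10.A01", "FA.21.F02.doc"):
        print(example, "->", parse_permanent_file_name(example))
    # Constructed directory listing, not a real one.
    print(next_document_name("FA", "21", "F", ["FA.21.F01", "FA.21.F02", "FA.21.P01"]))
```

The regex is anchored and case-sensitive on purpose: a lower-case section code or a single-digit area number is a different name on a case-sensitive store and would silently fall outside the standard's subdirectory layout, so it is better rejected at naming time than discovered at the next audit.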
Section 29 - Important LAN Directories/Files
All Internal Audit Area LAN data is stored on J drive.
This data is stored in accordance with University recordkeeping standards.
The subdirectories of importance are:

J:\ODVC\PQ\AUDIT\OPERATIONAL MANAGEMENT\Standards\Internal
Audit Administrative Files and Directories. This contains a word file with a list
of all important Internal Audit subdirectories and their purpose.

J:\ODVC\PQ\AUDIT\OPERATIONAL MANAGEMENT\Standards\Internal
Audit Permanent Files. This contains further subdirectories of permanent
documentation structured along the lines of the Audit Universe.
Part 8 - Other Special Audit Work
Section 30 - Audit Certificates
General
The University may be required to provide signed certificates which set out the disposition
of funds provided or obligations undertaken.
The most common types of certifications required relate to various grants provided by
relevant federal, state and private sector bodies.
The University may also be required to provide an audit certificate to an external party in
relation to the financial operations of other activities in which it is engaged e.g.

Curtin Radio FM 100.1

Western Australian Satellite Technology Consortium

Various internal foundations (created under University statute)
Most requirements for certification are governed by contracts, procedure manuals or
legislation which set out the format and frequency of certifications as well as defining
exactly what is being certified. They can also define who is qualified to sign the certificate.
Preferred External Service Providers
Where such an audit is required, it is standard procedure (from 1 March 2007) that such
work should not be undertaken internally (unless there is a specific requirement for
Internal Audit to provide such an audit opinion).
This type of audit is not covered within the scope of work described in the Internal Audit
Charter. In addition, the provision of audit certificates, particularly to external bodies, may
create a legal liability for the University should the opinion offered later be found to be
incorrect or deficient.
The University has access to preferred external suppliers of such services who will provide
a quote for the work to be done (on a fee for service basis). Information concerning these
service providers is available on the Strategic Procurement website.
Section 31 - Operational / Performance Based Audits (under review)
Introduction
Operational audits (also called performance audits, value for money audits or
comprehensive audits) can be defined as:
An examination of financial information and other records for the purpose of reporting on
the controls, processes and systems used to manage the entity's resources, money,
people, physical assets and information, and in many cases to make comment on the
entity's operations in terms of the economy in acquiring resources, efficiency in using
resources and effectiveness in achieving objectives.
(Introductory Statement on Applicability of Statements of Auditing Standards and
Statements of Auditing Practice to Auditing in the Public Sector)
Methodology
The prime methodology used by the Internal Audit Area to conduct operational audits is
based on the Coopers & Lybrand Effectiveness Assessment Reporting methodology
(CLEAR). The basis of this methodology is the 12 attributes of effectiveness developed by
the CCAF (Canadian Comprehensive Auditing Foundation). It must be stressed that not
every stage or activity will necessarily be undertaken in each audit. The decision to include
or exclude an activity will need to be discussed during the audit process. The CLEAR
Methodology consists of 3 stages: planning, execution and reporting. Within each stage
there are a number of phases, which are summarised below:
STAGE 1 - Planning
Phase 1 - Project Initiation
Once the go ahead for an audit is given by the manager, the first stage of any audit
involves preparing for the audit. The major activities for operational audits are:

Informing the auditee that an audit is to be performed
This is a matter of courtesy and good audit practice, and follows the existing audit
procedures for audit commencement. Refer to Section 16.

The Entry Interview and On-site Tour
The purpose of the entry interview is to inform the auditee and their supervisor of
the details of the audit and to gain their cooperation and support. Expected
involvement of the auditee and their staff is also discussed to ensure plans and
schedules consider operational constraints faced by the auditee. A written agenda
must be prepared and circulated before the meeting.
On-site tours provide first hand observation of the auditee's facilities, equipment,
personnel and operations. The objective is to obtain an overview of operations.

Document Review
The primary purpose is to gather and review critical background information to
obtain an appropriate understanding of the area and to scope the assignment. It is
important that the review of documents be limited in terms of time as the key is to
appreciate which attributes of effectiveness, mission critical job elements, activities
and processes are important.
The document summary is used as a guide to assist assembling relevant
information as well as providing an overview of the information collected and its
location.
A document review form is used to relate the key information identified in the
document review process to the twelve management attributes.

Develop the Detailed Project Plan and Timetable
Having obtained the auditee's commitment to perform the effectiveness
assessment a project plan and timetable should be prepared.
As the audit progresses, the plan should be reviewed and updated as required. In
addition, the auditee should be regularly informed of the audit progress and any
significant variations that impact the conduct and timing of the audit.
Completion of key steps of the audit should be recorded on the completion
checklist as the audit progresses.
Phase 2 - Prioritising the Attributes Workshop
The objective of the workshop is to obtain consensus regarding an understanding of each
of the twelve management attributes and their relative importance to achieving the
strategic vision of the area under review.

Arrange the Planning Workshop
The purpose of the workshop is to ensure key personnel have an understanding of
the management attributes and appreciate the approach being used to conduct the
effectiveness assessment. The participants of this workshop should include
relevant audit staff and key managers, users and recipients of the
services/products of the area under review.
Once the participants of the workshop have been identified, the necessary
authority to involve the nominated participants should be obtained. Appropriate
briefing material should be issued to all personnel to be involved in the initial
workshop.
This material should include at a minimum:
- workshop agenda;
- objectives;
- an overview of the management attributes; and
- background information of the area under review.
The briefing material should be issued to participants well in advance of the
workshop session. The Director Internal Audit or Senior Internal Auditor should
subsequently contact the participants to determine whether further information or
clarification is necessary.

Conduct the Workshop
The workshop should be facilitated by the Director Internal Audit or Senior Internal
Auditor as it is important that overall control and focus is maintained. The
workshop must be tailored to the area under review to ensure it is relevant and
achieves the audit objectives.
The workshop should incorporate at a minimum:
- an overview of the management attributes;
- an exercise to rank the importance of the management attributes;
- a discussion of the key activities and processes; and
- the identification of performance indicators.

Revise the Project Focus
Based on the outcome of the workshop the auditor should now understand which
attributes are the most critical and why, the performance indicators relevant to the
area and the direction of the audit. This information should be used to revise the
focus of the audit. The audit plan should be updated to reflect any change in the
initial focus.
STAGE 2 - Execution
Phase 3 - Review of Key Activities and Processes

Identify Key Activities and Processes
This work draws on the information gathering and preliminary work performed in
the planning stage. It is now necessary to perform a detailed analysis of the
information obtained. This entails examining in detail the functions, activities and
processes that support the achievement of management's strategic goals and
objectives for the area under review.
The focus should be on core business activities that are critical to success and
most highly valued by customers / stakeholders. It is important to remember that
the key business activities provide the link between the operation of the business
and its strategic objectives.
It is not possible to develop a predictable list of operational functions and activities
or predict the number of operational activities that exist. However, there should
only be a limited number of critical activities identified within the area under
review.

Document Key Activities and Processes
Within the key activities, it is important to identify the mission critical job elements
or processes. These will be the most important tasks and decisions that must be
performed well to successfully achieve goals and objectives.
To document the key activities and supporting processes, overview flowcharts or
narratives should be prepared. This documentation is designed to help us
understand the effectiveness of the area and identify its information management
problems and opportunities. As such, we should not spend too much time on
detail. It is important, however, to identify the key document or information flows
for each of the core processes.
Documenting the key activities and processes should be performed in conjunction
with a knowledgeable member of the auditee staff.

Process Review
Having identified and documented the core business activities and processes, these
should be recorded and analysed on a process review worksheet. The process
review requires that management attributes, workload indicators and key
performance indicators are identified for the key activities and processes
documented.
An analysis of this information is required to provide an indication of:
- whether effectiveness is being achieved for the activities being examined;
- whether the necessary performance measurement and reporting mechanisms are
in place;
- the types of information that will need to be gathered from the management
interviews and surveys; and
- the matters to be followed up in more detail.
Phase 4 - Interviews and Surveys
The interviews and surveys are designed to obtain information from management,
customers, competitors, employees and major stakeholder groups in a structured manner
to assist in the evaluation of effectiveness.

Identify Personnel for Interviews and Surveys
In conjunction with the auditee, a list of managers, customers, competitors,
employees and major stakeholder groups to be interviewed and surveyed should
be compiled. When interviews are to be used, contact should be made with the
relevant managers to discuss the purpose of the interview and to arrange a
mutually convenient date, time and location.
Surveys should be used instead of interviews to target a wider audience in an
efficient and effective way. When surveys are to be used, approvals for the surveys
should be obtained and the survey method, dates and times established.

Tailor Questionnaires and Surveys
To ensure that the interviews and surveys are conducted efficiently, it is important
that they are relevant and appropriately structured and focussed. This requires
careful review of the information collected to date and an understanding of the
additional information required to complete the assessment.
The interviews and surveys should be tailored to capture the information required,
with particular attention being given to the attributes relevant to the particular
management or stakeholder group.

Conduct Interviews and Surveys
The interviews and surveys should be carefully managed by keeping them to a
minimum length. It is important to outline the purpose of the interview or survey
and to ensure confidentiality.
Interviews may be conducted in a discussion mode or by allowing the participant
to complete the questions prior to the discussion. Clear, concise notes should be
taken during the interview to avoid having to reconfirm issues with management.
Obtaining co-operation for the survey process is critical to the successful
performance of the surveys. Surveys may be conducted either by phone or the
mail out of survey forms. If conducting the surveys by phone, it is important to
arrange a suitable time to reduce the disruption to the participant and to minimise
interruptions during the process.

Collate Results
When the interviews and surveys have been completed, it is necessary to
summarise the results. The outcomes of the interviews and surveys should be
analysed and the results interpreted. Common indicators or issues may be
identified that will assist in the performance analysis phase.
Phase 5 - Performance Analysis

Performance Analysis Summary
Throughout the previous phases, the information gathering has focussed on the
various activities and processes which support the area under review. During this
process the information on the activities and processes has been related back to
the management attributes for assessing the levels of effectiveness. It is now
important to draw this information together to formally assess the level of
effectiveness achieved for each attribute.
This process is facilitated by completing the performance analysis summary which
is used to summarise the findings and issues for each of the management
attributes. This document is used as the basis for the independent review and also
for discussions at the management workshop.

Independent Review of Performance Analysis
The purpose of this review is to ensure the quality of the analysis and
interpretations recorded for the area under review. This should be performed by
the Director Internal Audit and/or in discussion with other members of the audit
team.
The review should be performed by examining the workpapers and performance
analysis summary worksheets to ensure that the assessment reflects an
understanding of the area, the representations are balanced and the outcome is a
positive contribution to the area under review.
STAGE 3 - Reporting
Phase 6 - Management Workshop
The purpose of the management workshop is to confirm all findings made to date, discuss
potential solutions and to gain management's acceptance/commitment to the
findings/recommendations.

Arrange the Management Workshop
Typically the workshop should be attended by the personnel involved in the
planning workshop in Phase 2. However, it may become apparent during the
review that other personnel should be involved, or it may be more appropriate to
involve only those personnel from the area under review.
The workshop should be scheduled at a convenient time for the agreed
participants. All personnel attending the workshop should have a common
understanding of the purpose of the workshop and the approach to be taken in the
conduct of the workshop.
Appropriate briefing material should be issued in advance of the workshop and
may include:
- workshop agenda;
- outline of the audit process; and
- the performance analysis summary worksheets or a summary of findings for
discussion.

Conduct the Management Workshop
The workshop should be facilitated by the Director Internal Audit or Senior Internal
Auditor to ensure the workshop is conducted in a productive manner. The findings
should be presented for discussion to enable the participants to present
suggestions or options not previously considered. The workshop should be a two-way
presentation, with all participants encouraged to take part in open
discussion.
It is important to remember that the aim of the workshop is to receive assurance
from management that:
- all issues have been addressed;
- findings are complete and accurate; and
- the recommendations are relevant and practical.
The major outcome of the workshop should be the ideas and suggestions from
management in response to the review findings. The feedback from the workshop
should be documented for incorporation into the final report.
Phase 7 - Reporting

Prepare Report
As a result of the workshop, the basic content of the report should be finalised.
The final report should reflect a balanced view by providing both positive
comments (covering areas that are well managed or where initiatives have been
taken) as well as identifying opportunities for improvement with appropriate
recommendations.
The draft report should now be prepared which draws all the critical findings
together (Refer to Section 18 of these procedures).

Present Report
For the report to gain maximum acceptance, it is important that it does not contain
any surprises. Resistance to the report should have been minimised through the
management workshop. It is suggested that, before the final report is formally issued,
the management of the area under review should have the opportunity to approve
the final contents.
Guidelines on the issue or presentation of the final report are covered in Section 18
of these procedures.
Section 32 - Special Investigations
Introduction
Special investigations will be conducted with the urgency and priority established at the
time the investigation is requested, or as the circumstances dictate.
From time to time, the Internal Audit Area is called upon to perform special investigations.
These, unfortunately, often relate to investigating an incidence of fraud or other type of
misconduct, as described under the Corruption and Crime Commission Act 2003 (WA). In
such cases, the Integrity and Standards Officer may be contacted and requested to
perform the investigation or work with the Internal Audit area on the investigation.
However, special investigations may also be urgent investigations of an aspect of operations which does not
fit the "traditional" definition of a compliance audit (e.g. investigating the effectiveness of the
destruction of confidential documents) and which cannot be scheduled as part of the normal
audit program. In these cases, an Internal Auditor will be contacted to perform the
investigation.
In all cases, the Chair of the Audit Committee is to be notified and permission sought for
the work to be done (as per resolution made at the Audit Committee meeting held on 14
November 2003).